Library mont_square_triple

Require Import ssreflect ssrbool eqtype.
Require Import Arith_ext ZArith_ext Lists_ext.
Require Import machine_int multi_int.
Import MachineInt.
Require Import mips_seplog mips_contrib mips_tactics mapstos.
Require Import mont_mul_prg.

Local Open Scope machine_int_scope.
Local Open Scope eqmod_scope.
Local Open Scope zarith_ext_scope.
Local Open Scope heap_scope.
Import expr_m.
Local Open Scope mips_expr_scope.
Import assert_m.
Local Open Scope mips_assert_scope.
Local Open Scope mips_cmd_scope.
Local Open Scope mips_hoare_scope.
Local Open Scope nodup_scope.

Lemma mont_square_triple : forall k alpha x z m one ext int_ X_ Y_ M_ Z_ quot C t s_ : reg,
  nodup(k, alpha, x, z, m, one, ext, int_, X_, Y_, M_, Z_, quot, C, t, s_, r0) ->
  forall nk valpha vx vm vz X M,
    u2Z (nth 0 M zero32) * u2Z valpha =m -1 {{ Zbeta 1 }} ->
    length X = nk -> length M = nk -> u2Z vz + 4 * Z_of_nat nk < Zbeta 1 ->
    Sum nk X < Sum nk M ->
{{ fun s h => [x]_s = vx /\ [z]_s = vz /\ [m]_s = vm /\ u2Z [k]_s = Z_of_nat nk /\ [alpha]_s = valpha /\
  (var_e x |--> X ** var_e z |--> rep zero32 nk ** var_e m |--> M) s h /\ store.multi_null s }}
montgomery k alpha x x z m one ext int_ X_ Y_ M_ Z_ quot C t s_
{{ fun s h => exists Z, length Z = nk /\ [x]_s = vx /\ [z]_s = vz /\
  [m]_s = vm /\ u2Z [k]_s = Z_of_nat nk /\ [alpha]_s = valpha /\
  (var_e x |--> X ** var_e z |--> Z ** var_e m |--> M) s h /\
  Zbeta nk * Sum (S nk) (Z ++ [C]_s :: nil) =m Sum nk X * Sum nk X {{ Sum nk M }} /\
  Sum (S nk) (Z ++ [C]_s::nil) < 2 * Sum nk M /\
  u2Z [t]_s = u2Z vz + 4 * Z_of_nat (nk - 1) }}.
Proof.
move=> k alpha x z m one ext int_ X_ Y_ M_ Z_ quot C t s_
  Hset nk valpha vx vm vz X M Halpha Hx Hm Hnz HX.
rewrite /montgomery.

NextAddiu.
move=> s h [r_x [r_z [r_m [r_k [r_alpha [Hmem Hmu]]]]]].
rewrite /wp_addiu.
repeat reg_upd; repeat (split; trivial).
by Assert_upd.
by rewrite store.multi_null_upd.

NextAddiu.
move=> s h [[[r_x [r_z [r_m [r_k [r_alpha [Hmem Hmu]]]]]]] r_one].
rewrite /wp_addiu.
repeat reg_upd; repeat (split; trivial).
by Assert_upd.
by rewrite store.multi_null_upd.

NextAddiu.
move=> s h [[[[r_x [r_z [r_m [r_k [r_alpha [Hmem Hmu]]]]]]] r_one] r_C].
rewrite /wp_addiu.
repeat reg_upd; repeat (split; trivial).
by Assert_upd.
by rewrite store.multi_null_upd.

apply hoare_prop_m.hoare_while_invariant with (fun s h => exists Z, exists next, length Z = nk /\
  [x]_s = vx /\ [z]_s = vz /\ [m]_s = vm /\ u2Z [k]_s = Z_of_nat nk /\
  [alpha]_s = valpha /\ (var_e x |--> X ** var_e z |--> Z ** var_e m |--> M) s h /\
  u2Z [ext]_s = Z_of_nat next /\ u2Z [ext]_s <= u2Z [k]_s /\ [one]_s = one32 /\
  (next <> O -> u2Z [t]_s = u2Z vz + 4 * Z_of_nat (nk - 1)) /\
  (exists K, Zbeta next * Sum (S nk) (Z ++ [C]_s :: nil) = Sum next X * Sum nk X + K * Sum nk M /\
    Sum next X * Sum nk X + K * Sum nk M < 2 * Sum nk M * Zbeta next)).

move=> s h [[[[r_x [r_z [r_m [r_k [r_alpha [Hmem Hmu]]]]]] r_one] r_C] r_ext].
exists (rep zero32 nk), O; repeat (split => //).
by apply len_rep.
by rewrite r_ext sext_Z2u // add_0 store.get_r0 u2Z_Z2u.
rewrite r_ext sext_Z2u // add_0 store.get_r0 u2Z_Z2u //; by apply min_u2Z.
apply u2Z_inj; by rewrite r_one sext_Z2u // add_com store.get_r0 add_0 u2Z_Z2u.

exists 0.
have -> : rep zero32 nk ++ [C ]_ s :: nil = rep zero32 (S nk).
  rewrite rep_last; repeat f_equal.
  apply u2Z_inj; by rewrite r_C sext_Z2u // add_0 store.get_r0.
rewrite Sum_rep_0.
split; first by done.
rewrite Zmult_1_r !Zmult_0_l Zplus_0_l; apply Zmult_lt_0_compat; first by done.
apply Zle_lt_trans with (Sum nk X); [by apply min_Sum | done].

move=> s h [[Z [next [HZ [r_x [r_z [r_m [r_k [r_alpha [Hmem [Hext [Hextk' [Hone [Ht Hinv]]]]]]]]]]]]] Hextk].
rewrite /= r_k Hext in Hextk; move/negPn : Hextk; move/Zeq_boolP; move/Z_of_nat_inj => ?; subst next.

exists Z; do 7 (split; trivial).
case: Hinv => K [Hinv1 Hinv2].
split; first by exists K.
split.
apply Zmult_gt_0_lt_reg_r with (Zbeta nk).
apply Zlt_gt; by apply Zbeta_0.
by rewrite Zmult_comm Hinv1.
apply Ht; by destruct nk.

apply hoare_lwxs_back_alt'' with (fun s h => exists Z, exists next, length Z = nk /\
  [x]_s = vx /\ [z]_s = vz /\ [m]_s = vm /\ u2Z [k]_s = Z_of_nat nk /\ [alpha]_s = valpha /\
  (var_e x |--> X ** var_e z |--> Z ** var_e m |--> M) s h /\
  u2Z [ext]_s = Z_of_nat next /\ u2Z [ext]_s < u2Z [k]_s /\ [one]_s = one32 /\
  (exists K, Zbeta next * Sum (S nk) (Z ++ [C]_s :: nil) = Sum next X * Sum nk X + K * Sum nk M /\
    Sum next X * Sum nk X + K * Sum nk M < 2 * Sum nk M * Zbeta next) /\
  (next < nk)%nat /\ [X_]_s = nth next X zero32).

move=> s h [ [Z [next [HZ [r_x [r_z [r_m [r_k [r_alpha [Hmem [r_ext [Hextk' [Hone [Ht Hinv]]]]]]]]]]]]] Hextk].
rewrite /= r_ext r_k in Hextk, Hextk'.
move/Zeq_boolP : Hextk => Hextk; move/Z_of_nat_le_inj : Hextk' => Hextk'.
have {Hextk}Hextk : next <> nk by contradict Hextk; rewrite Hextk.

exists (nth next X zero32); split.
- Decompose_32 X next X1 X2 HlenX1 HX'; last by rewrite Hx; apply le_neq_lt.
  rewrite HX' (decompose_equiv _ _ _ _ _ HlenX1) !assert_m.con_assoc_equiv assert_m.con_com_equiv !assert_m.con_assoc_equiv in Hmem.
  move: Hmem; apply monotony => // h'.
  apply mapsto_ext => //.
  by rewrite [mult]lock /= -lock shl_Z2u r_ext inj_mult Zmult_comm.
- rewrite /update_store_lwxs.
  exists Z, next; repeat reg_upd; repeat (split; trivial).
  by Assert_upd.
  rewrite r_ext r_k; apply inj_lt_iff; by apply le_neq_lt.
  by apply le_neq_lt.

apply hoare_lw_back_alt'' with (fun s h => exists Z, exists next, length Z = nk /\
  [x]_s = vx /\ [z]_s = vz /\ [m]_s = vm /\ u2Z [k]_s = Z_of_nat nk /\ [alpha]_s = valpha /\
  (var_e x |--> X ** var_e z |--> Z ** var_e m |--> M) s h /\
  u2Z [ext]_s = Z_of_nat next /\ u2Z [ext]_s < u2Z [k]_s /\ [one]_s = one32 /\
  (exists K, Zbeta next * Sum (S nk) (Z ++ [C]_s :: nil) = Sum next X * Sum nk X + K * Sum nk M /\
    Sum next X * Sum nk X + K * Sum nk M < 2 * Sum nk M * Zbeta next) /\
  (next < nk)%nat /\ [X_]_s = nth next X zero32 /\ [Y_]_s = nth O X zero32).

move=> s h [Z [next [HZ [r_x [r_z [r_m [r_k [r_alpha [Hmem [r_ext [Hextk' [Hone [Hinv [Hextk r_X_]]]]]]]]]]]]]].

destruct X as [| hdx tlx]; first by destruct nk.
exists hdx; split.
rewrite [assert_m.mapstos _ _]/= !assert_m.con_assoc_equiv in Hmem.
move: Hmem; apply monotony => // h'.
apply mapsto_ext => //=; by rewrite sext_0 add_0.

rewrite /update_store_lw.
exists Z, next; repeat reg_upd; repeat (split; trivial).
by Assert_upd.

apply hoare_lw_back_alt'' with (fun s h => exists Z, exists next, length Z = nk /\
  [x]_s = vx /\ [z]_s = vz /\ [m]_s = vm /\ u2Z [k]_s = Z_of_nat nk /\ [alpha]_s = valpha /\
  (var_e x |--> X ** var_e z |--> Z ** var_e m |--> M) s h /\
  u2Z [ext]_s = Z_of_nat next /\ u2Z [ext]_s < u2Z [k]_s /\ [one]_s = one32 /\
  (exists K, Zbeta next * Sum (S nk) (Z ++ [C]_s :: nil) = Sum next X * Sum nk X + K * Sum nk M /\
    Sum next X * Sum nk X + K * Sum nk M < 2 * Sum nk M * Zbeta next) /\
  (next < nk)%nat /\ [X_]_s = nth next X zero32 /\
  [Y_]_s = nth O X zero32 /\ [Z_]_s = nth O Z zero32).

move=> s h [Z [next [HZ [r_x [r_z [r_m [r_k [r_alpha [Hmem [r_ext [Hextk' [Hone [Hinv [Hextk [r_X_ r_Y_]]]]]]]]]]]]]]].

destruct Z as [| hdz tlz]; first by destruct nk.
exists hdz; split.
rewrite assert_m.con_assoc_equiv assert_m.con_com_equiv /= !assert_m.con_assoc_equiv in Hmem.
move: Hmem; apply monotony => // h'.
apply mapsto_ext => //=; by rewrite sext_0 add_0.
rewrite /update_store_lw.
exists (hdz :: tlz), next; repeat reg_upd; repeat (split; trivial).
by Assert_upd.

apply hoare_multu with (fun s h => exists Z, exists next, length Z = nk /\
  [x]_s = vx /\ [z]_s = vz /\ [m]_s = vm /\ u2Z [k]_s = Z_of_nat nk /\ [alpha]_s = valpha /\
  (var_e x |--> X ** var_e z |--> Z ** var_e m |--> M) s h /\
  u2Z [ext]_s = Z_of_nat next /\ u2Z [ext]_s < u2Z [k]_s /\ [one]_s = one32 /\
  (exists K, Zbeta next * Sum (S nk) (Z ++ [C]_s :: nil) = Sum next X * Sum nk X + K * Sum nk M /\
    Sum next X * Sum nk X + K * Sum nk M < 2 * Sum nk M * Zbeta next) /\
  (next < nk)%nat /\ [X_]_s = nth next X zero32 /\
  [Y_]_s = nth O X zero32 /\ [Z_]_s = nth O Z zero32 /\
  store.utoZ s <= (Zbeta 1 - 1) * (Zbeta 1 - 1) /\
  store.utoZ s = u2Z (nth next X zero32) * u2Z (nth O X zero32)).

move=> s h [Z [next [HZ [r_x [r_z [r_m [r_k [r_alpha [Hmem [r_ext [Hextk' [Hone [Hinv [Hextk [r_X_ [r_Y_ r_Z_]]]]]]]]]]]]]]]].

exists Z, next; repeat reg_upd; repeat (split; trivial).
by Assert_upd.
rewrite store.utoZ_multu; by apply max_u2Z_umul.

by rewrite store.utoZ_multu u2Z_umul r_X_ r_Y_.

apply hoare_lw_back_alt'' with (fun s h => exists Z, exists next, length Z = nk /\
  [x]_s = vx /\ [z]_s = vz /\ [m]_s = vm /\ u2Z [k]_s = Z_of_nat nk /\ [alpha]_s = valpha /\
  (var_e x |--> X ** var_e z |--> Z ** var_e m |--> M) s h /\
  u2Z [ext]_s = Z_of_nat next /\ u2Z [ext]_s < u2Z [k]_s /\ [one]_s = one32 /\
  (exists K, Zbeta next * Sum (S nk) (Z ++ [C]_s :: nil) = Sum next X * Sum nk X + K * Sum nk M /\
    Sum next X * Sum nk X + K * Sum nk M < 2 * Sum nk M * Zbeta next) /\
  (next < nk)%nat /\ [X_]_s = nth next X zero32 /\ [Y_]_s = nth O X zero32 /\
  [Z_]_s = nth O Z zero32 /\ store.utoZ s <= (Zbeta 1 - 1) * (Zbeta 1 - 1) /\
  store.utoZ s = u2Z (nth next X zero32) * u2Z (nth O X zero32) /\
  [M_]_s = nth O M zero32).

move=> s h [Z [next [HZ [r_x [r_z [r_m [r_k [r_alpha [Hmem [r_ext [Hextk' [Hone [Hinv [Hextk [r_X_ [r_Y_ [r_Z_ [Hm1 Hm2]]]]]]]]]]]]]]]]]].
destruct M as [| hdm tlm]; first by destruct nk.
exists hdm; split.
rewrite assert_m.con_com_equiv /= !assert_m.con_assoc_equiv in Hmem.
move: Hmem; apply monotony => // h'.
apply mapsto_ext => //=; by rewrite sext_0 add_0.

exists Z, next; repeat reg_upd ;repeat (split; trivial).
by Assert_upd.

apply hoare_maddu with (fun s h => exists Z, exists next, length Z = nk /\ [x]_s = vx /\
  [z]_s = vz /\ [m]_s = vm /\ u2Z [k]_s = Z_of_nat nk /\ [alpha]_s = valpha /\
  (var_e x |--> X ** var_e z |--> Z ** var_e m |--> M) s h /\
  u2Z [ext]_s = Z_of_nat next /\ u2Z [ext]_s < u2Z [k]_s /\ [one]_s = one32 /\
  (exists K, Zbeta next * Sum (S nk) (Z ++ [C]_s :: nil) = Sum next X * Sum nk X + K * Sum nk M /\
    Sum next X * Sum nk X + K * Sum nk M < 2 * Sum nk M * Zbeta next) /\
  (next < nk)%nat /\ [X_]_s = nth next X zero32 /\ [Y_]_s = nth O X zero32 /\
  [Z_]_s = nth O Z zero32 /\ store.utoZ s <= Zbeta 1 * (Zbeta 1 - 1) /\
  store.utoZ s = u2Z (nth next X zero32) * u2Z (nth O X zero32) + u2Z (nth O Z zero32) /\
  [M_]_s = nth O M zero32).

move=> s h [Z [next [HZ [r_x [r_z [r_m [r_k [r_alpha [Hmem [r_ext [Hextk' [Hone [Hinv [Hextk [r_X_ [r_Y_ [r_Z_ [Hm1 [Hm2 r_M_]]]]]]]]]]]]]]]]]]].

exists Z, next.

have Htmp : store.utoZ s < Zbeta 2 * (2 ^^ store.acx_size - 1).
  apply Zle_lt_trans with ((Zbeta 1 - 1) * (Zbeta 1 - 1)); first by done.
  apply Zlt_le_trans with (Zbeta 2 * (2 ^^ 8 - 1)); first by done.
  apply Zmult_le_compat_l; last by apply Zbeta_0'.
  apply Zminus_le_compat.
  by apply Zpower_2_le, store.acx_size_min.

repeat reg_upd.
do 7 (split; trivial).
by Assert_upd.
do 8 (split; trivial).
split.

rewrite store.utoZ_maddu // Hone umul_1 u2Z_zext r_Z_.
apply Zle_trans with ((Zbeta 1 - 1) + (Zbeta 1 - 1) * (Zbeta 1 - 1)); last by done.
apply Zplus_le_compat.
apply Zle_minus_1; by apply max_u2Z.
rewrite Hm2 -u2Z_umul; by apply max_u2Z_umul.

by rewrite store.utoZ_maddu // Hone umul_1 u2Z_zext r_Z_ Hm2 Zplus_comm.

apply hoare_mflo with (fun s h => exists Z, exists next, length Z = nk /\ [x]_s = vx /\
  [z]_s = vz /\ [m]_s = vm /\ u2Z [k]_s = Z_of_nat nk /\ [alpha]_s = valpha /\
  (var_e x |--> X ** var_e z |--> Z ** var_e m |--> M) s h /\
  u2Z [ext]_s = Z_of_nat next /\ u2Z [ext]_s < u2Z [k]_s /\ [one]_s = one32 /\
  (exists K, Zbeta next * Sum (S nk) (Z ++ [C]_s :: nil) = Sum next X * Sum nk X + K * Sum nk M /\
    Sum next X * Sum nk X + K * Sum nk M < 2 * Sum nk M * Zbeta next) /\
  (next < nk)%nat /\ [X_]_s = nth next X zero32 /\ [Y_]_s = nth O X zero32 /\
  [Z_]_s = nth O Z zero32 /\ store.utoZ s <= Zbeta 1 * (Zbeta 1 - 1) /\
  store.utoZ s = u2Z (nth next X zero32) * u2Z (nth O X zero32) + u2Z (nth O Z zero32) /\
  [M_]_s = nth O M zero32 /\
  [t]_s = ((nth next X zero32 [.*] nth O X zero32) [.+] zext 32 (nth O Z zero32)) [.%] 32).

move=> s h [Z [next [HZ [r_x [r_z [r_m [r_k [r_alpha [Hmem [r_ext [Hextk' [Hone [Hinv [Hextk [r_X_ [r_Y_ [r_Z_ [Hm1 [Hm2 r_M_]]]]]]]]]]]]]]]]]]].

exists Z, next; repeat reg_upd; repeat (split; trivial).
by Assert_upd.

apply store.lo_remainder.
rewrite -plus_assoc; by apply le_plus_r.

rewrite Hm2 u2Z_add //.
by rewrite u2Z_umul u2Z_zext.
rewrite u2Z_zext Zpower_is_exp -Zbeta1_Zpower2 -Zbeta_is_exp /=.
apply Zle_lt_trans with ((Zbeta 1 - 1) * (Zbeta 1 - 1) + (Zbeta 1 - 1)); last by done.
apply Zplus_le_compat.
by apply (@max_u2Z_umul 32).
apply Zle_minus_1; by apply max_u2Z.

apply hoare_mfhi with (fun s h => exists Z, exists next, length Z = nk /\ [x]_s = vx /\
  [z]_s = vz /\ [m]_s = vm /\ u2Z [k]_s = Z_of_nat nk /\ [alpha]_s = valpha /\
  (var_e x |--> X ** var_e z |--> Z ** var_e m |--> M) s h /\
  u2Z [ext]_s = Z_of_nat next /\ u2Z [ext]_s < u2Z [k]_s /\ [one]_s = one32 /\
  (exists K, Zbeta next * Sum (S nk) (Z ++ [C]_s :: nil) = Sum next X * Sum nk X + K * Sum nk M /\
    Sum next X * Sum nk X + K * Sum nk M < 2 * Sum nk M * Zbeta next) /\
  (next < nk)%nat /\ [X_]_s = nth next X zero32 /\ [Y_]_s = nth O X zero32 /\
  [Z_]_s = nth O Z zero32 /\ store.utoZ s <= Zbeta 1 * (Zbeta 1 - 1) /\
  store.utoZ s = u2Z (nth next X zero32) * u2Z (nth O X zero32) + u2Z (nth O Z zero32) /\
  [M_]_s = nth O M zero32 /\
  [t]_s = ((nth next X zero32 [.*] nth O X zero32) [.+] zext 32 (nth O Z zero32)) [.%] 32 /\
  u2Z ([s_]_s [.||] [t]_s) = u2Z (nth next X zero32) * u2Z (nth O X zero32) + u2Z (nth O Z zero32)).

move=> s h [Z [next [HZ [r_x [r_z [r_m [r_k [r_alpha [Hmem [r_ext [Hextk' [Hone [Hinv [Hextk [ r_X_ [r_Y_ [r_Z_ [Hm1 [Hm2 [r_M_ r_t]]]]]]]]]]]]]]]]]]]].

exists Z, next; repeat reg_upd; repeat (split; trivial).
by Assert_upd.

have H : store.lo s = [t]_s.
  rewrite r_t; apply store.lo_remainder.
  + rewrite -plus_assoc; by apply le_plus_r.
  + rewrite Hm2 -u2Z_umul u2Z_add.
    * by rewrite u2Z_zext.
    * rewrite u2Z_zext Zpower_is_exp -Zbeta1_Zpower2 -Zbeta_is_exp /=.
      apply Zle_lt_trans with ((Zbeta 1 - 1) * (Zbeta 1 - 1) + (Zbeta 1 - 1)); last by done.
      apply Zplus_le_compat; by [apply (@max_u2Z_umul 32) | apply Zle_minus_1, max_u2Z].

rewrite -H u2Z_concat -Zbeta1_Zpower2.
rewrite store.utoZ_def store.utoZ_acx_beta2 in Hm2; last by apply Zle_lt_trans with (Zbeta 1 * (Zbeta 1 - 1)).
rewrite u2Z_Z2u in Hm2; last by split; [apply Zle_refl | apply Zpower_0].
rewrite -Hm2; ring.

apply hoare_multu with (fun s h => exists Z, exists next, length Z = nk /\ [x]_s = vx /\
  [z]_s = vz /\ [m]_s = vm /\ u2Z [k]_s = Z_of_nat nk /\ [alpha]_s = valpha /\
  (var_e x |--> X ** var_e z |--> Z ** var_e m |--> M) s h /\
  u2Z [ext]_s = Z_of_nat next /\ u2Z [ext]_s < u2Z [k]_s /\ [one]_s = one32 /\
  (exists K, Zbeta next * Sum (S nk) (Z ++ [C]_s :: nil) = Sum next X * Sum nk X + K * Sum nk M /\
    Sum next X * Sum nk X + K * Sum nk M < 2 * Sum nk M * Zbeta next) /\
  (next < nk)%nat /\ [X_]_s = nth next X zero32 /\ [Y_]_s = nth O X zero32 /\
  [Z_]_s = nth O Z zero32 /\ store.utoZ s <= (Zbeta 1 - 1) * (Zbeta 1 - 1) /\ [M_]_s = nth O M zero32 /\
  [t]_s = ((nth next X zero32 [.*] nth O X zero32) [.+] zext 32 (nth O Z zero32)) [.%] 32 /\
  u2Z ([s_]_s [.||] [t]_s) = u2Z (nth next X zero32) * u2Z (nth O X zero32) + u2Z (nth O Z zero32) /\
  store.utoZ s = u2Z [t]_s * u2Z [alpha]_s).

move=> s h [Z [next [HZ [r_x [r_z [r_m [r_k [r_alpha [Hmem [r_ext [Hextk' [Hone [Hinv [Hextk [r_X_ [r_Y_ [r_Z_ [Hm1 [Hm2 [r_M_ [r_t Hconcat]]]]]]]]]]]]]]]]]]]]].

exists Z, next; repeat reg_upd.
do 6 (split; trivial).
split.
by Assert_upd.
do 8 (split; trivial).
split.
  rewrite store.utoZ_multu; by apply max_u2Z_umul.
do 3 (split; trivial).
by rewrite store.utoZ_multu -u2Z_umul.

apply hoare_addiu with (fun s h => exists Z, exists next, length Z = nk /\ [x]_s = vx /\
  [z]_s = vz /\ [m]_s = vm /\ u2Z [k]_s = Z_of_nat nk /\ [alpha]_s = valpha /\
  (var_e x |--> X ** var_e z |--> Z ** var_e m |--> M) s h /\
  u2Z [ext]_s = Z_of_nat next /\ u2Z [ext]_s < u2Z [k]_s /\ [one]_s = one32 /\
  (exists K, Zbeta next * Sum (S nk) (Z ++ [C]_s :: nil) = Sum next X * Sum nk X + K * Sum nk M /\
    Sum next X * Sum nk X + K * Sum nk M < 2 * Sum nk M * Zbeta next) /\
  (next < nk)%nat /\ [X_]_s = nth next X zero32 /\ [Y_]_s = nth O X zero32 /\
  [Z_]_s = nth O Z zero32 /\ store.utoZ s <= (Zbeta 1 - 1) * (Zbeta 1 - 1) /\ [M_]_s = nth O M zero32 /\
  [t]_s = ((nth next X zero32 [.*] nth O X zero32) [.+] zext 32 (nth O Z zero32)) [.%] 32 /\
  u2Z ([s_]_s [.||] [t]_s) = u2Z (nth next X zero32) * u2Z (nth O X zero32) + u2Z (nth O Z zero32) /\
  store.utoZ s = u2Z [t]_s * u2Z [alpha]_s /\ [int_]_s = one32).

move=> s h [Z [next [HZ [r_x [r_z [r_m [r_k [r_alpha [Hmem [r_ext [Hextk' [Hone [Hinv [Hextk [ r_X_ [r_Y_ [r_Z_ [Hm1 [r_M_ [r_t [Hconcat Hm2]]]]]]]]]]]]]]]]]]]]].

exists Z, next; repeat reg_upd; repeat (split; trivial).
by Assert_upd.
by rewrite add_com add_0 // sext_Z2u.

apply hoare_mflo with (fun s h => exists Z, exists next, length Z = nk /\ [x]_s = vx /\
  [z]_s = vz /\ [m]_s = vm /\ u2Z [k]_s = Z_of_nat nk /\ [alpha]_s = valpha /\
  (var_e x |--> X ** var_e z |--> Z ** var_e m |--> M) s h /\
  u2Z [ext]_s = Z_of_nat next /\ u2Z [ext]_s < u2Z [k]_s /\ [one]_s = one32 /\
  (exists K, Zbeta next * Sum (S nk) (Z ++ [C]_s :: nil) = Sum next X * Sum nk X + K * Sum nk M /\
    Sum next X * Sum nk X + K * Sum nk M < 2 * Sum nk M * Zbeta next) /\ (next < nk)%nat /\
  [X_]_s = nth next X zero32 /\ [Y_]_s = nth O X zero32 /\ [Z_]_s = nth O Z zero32 /\
  store.utoZ s <= (Zbeta 1 - 1) * (Zbeta 1 - 1) /\ [M_]_s = nth O M zero32 /\
  [t]_s = ((nth next X zero32 [.*] nth O X zero32) [.+] zext 32 (nth O Z zero32)) [.%] 32 /\
  u2Z ([s_]_s [.||] [t]_s) = u2Z (nth next X zero32) * u2Z (nth O X zero32) + u2Z (nth O Z zero32) /\
  store.utoZ s = u2Z [t]_s * u2Z [alpha]_s /\ [int_]_s = one32 /\
  [quot]_s = (((nth next X zero32 [.*] nth O X zero32) [.+] (zext 32 (nth O Z zero32)) [.%] 32)
    [.*] [alpha]_s) [.%] 32).

move=> s h [Z [next [HZ [r_x [r_z [r_m [r_k [r_alpha [Hmem [r_ext [Hextk' [Hone [Hinv [Hextk [ r_X_ [r_Y_ [ r_Z_ [Hm1 [r_M_ [r_t [Hconcat [Hm2 Hgrpint_]]]]]]]]]]]]]]]]]]]]]].

exists Z, next; repeat reg_upd; repeat (split; trivial).
by Assert_upd.

apply store.lo_remainder.
- rewrite -plus_assoc; by apply le_plus_r.
- by rewrite Hm2 r_t -u2Z_umul.

apply hoare_mthi with (fun s h => exists Z, exists next, length Z = nk /\ [x]_s = vx /\
  [z]_s = vz /\ [m]_s = vm /\ u2Z [k]_s = Z_of_nat nk /\ [alpha]_s = valpha /\
  (var_e x |--> X ** var_e z |--> Z ** var_e m |--> M) s h /\
  u2Z [ext]_s = Z_of_nat next /\ u2Z [ext]_s < u2Z [k]_s /\ [one]_s = one32 /\
  (exists K, Zbeta next * Sum (S nk) (Z ++ [C]_s :: nil) = Sum next X * Sum nk X + K * Sum nk M /\
    Sum next X * Sum nk X + K * Sum nk M < 2 * Sum nk M * Zbeta next) /\ (next < nk)%nat /\
  [X_]_s = nth next X zero32 /\ [Y_]_s = nth O X zero32 /\ [Z_]_s = nth O Z zero32 /\
  store.utoZ s < Zbeta 2 /\ [M_]_s = nth O M zero32 /\
  [t]_s = ((nth next X zero32 [.*] nth O X zero32) [.+] zext 32 (nth O Z zero32)) [.%] 32 /\
  u2Z ([s_]_s [.||] [t]_s) = u2Z (nth next X zero32) * u2Z (nth O X zero32) + u2Z (nth O Z zero32) /\
  [int_]_s = one32 /\
  [quot]_s = ((((nth next X zero32 [.*] nth O X zero32) [.+] zext 32 (nth O Z zero32)) [.%] 32)
    [.*] [alpha]_s) [.%] 32 /\ store.hi s = [s_]_s).

move=> s h [Z [next [HZ [r_x [r_z [r_m [r_k [r_alpha [Hmem [r_ext [Hextk' [Hone [Hinv [Hextk [r_X_ [r_Y_ [ r_Z_ [Hm1 [r_M_ [r_t [Hconcat [Hm2 [Hgrpint_ r_quot]]]]]]]]]]]]]]]]]]]]]]].

exists Z, next; repeat reg_upd; repeat (split; trivial).
by Assert_upd.
rewrite store.utoZ_def store.hi_mthi_op store.acx_mthi_op store.lo_mthi_op store.utoZ_acx_beta2; last first.
  rewrite Hm2.
  apply Zle_lt_trans with ((Zbeta 1 - 1) * (Zbeta 1 - 1)); last by done.
  rewrite -u2Z_umul; by apply max_u2Z_umul.
rewrite u2Z_Z2u // -Zplus_0_r_reverse.
apply Zle_lt_trans with ((Zbeta 1 - 1) + (Zbeta 1 - 1) * Zbeta 1); last by done.
apply Zplus_le_compat.
apply Zle_minus_1; by apply max_u2Z.
apply Zmult_le_compat_r.
apply Zle_minus_1; by apply max_u2Z.
by apply Zbeta_0'.

by apply store.hi_mthi_op.

apply hoare_mtlo with (fun s h => exists Z, exists next, length Z = nk /\ [x]_s = vx /\
  [z]_s = vz /\ [m]_s = vm /\ u2Z [k]_s = Z_of_nat nk /\ [alpha]_s = valpha /\
  (var_e x |--> X ** var_e z |--> Z ** var_e m |--> M) s h /\
  u2Z [ext]_s = Z_of_nat next /\ u2Z [ext]_s < u2Z [k]_s /\ [one]_s = one32 /\
  (exists K, Zbeta next * Sum (S nk) (Z ++ [C]_s :: nil) = Sum next X * Sum nk X + K * Sum nk M /\
    Sum next X * Sum nk X + K * Sum nk M < 2 * Sum nk M * Zbeta next) /\
  (next < nk)%nat /\ [X_]_s = nth next X zero32 /\ [Y_]_s = nth O X zero32 /\
  [Z_]_s = nth O Z zero32 /\ store.utoZ s < Zbeta 2 /\ [M_]_s = nth O M zero32 /\
  [t]_s = ((nth next X zero32 [.*] nth O X zero32) [.+] zext 32 (nth O Z zero32)) [.%] 32 /\
  u2Z ([s_]_s [.||] [t]_s) = u2Z (nth next X zero32) * u2Z (nth O X zero32) + u2Z (nth O Z zero32) /\
  [int_]_s = one32 /\
  [quot]_s = ((((nth next X zero32 [.*] nth O X zero32) [.+] zext 32 (nth O Z zero32)) [.%] 32)
    [.*] [alpha]_s) [.%] 32 /\
  store.hi s = [s_]_s /\ store.lo s = [t]_s).

move=> s h [Z [next [HZ [r_x [r_z [r_m [r_k [r_alpha [Hmem [r_ext [Hextk' [Hone [Hinv [Hextk [ r_X_ [r_Y_ [r_Z_ [Hm1 [r_M_ [r_t [ Hconcat [Hgrpint_ [r_quot Hm2]]]]]]]]]]]]]]]]]]]]]]].

exists Z, next; repeat reg_upd; repeat (split; trivial).
by Assert_upd.

rewrite store.utoZ_def store.acx_mtlo_op store.lo_mtlo_op store.hi_mtlo_op store.utoZ_acx_beta2 // u2Z_Z2u //= -Zplus_0_r_reverse.
apply Zle_lt_trans with ((Zbeta 1 - 1) + (Zbeta 1 - 1) * Zbeta 1); last by done.
apply Zplus_le_compat.
apply Zle_minus_1; by apply max_u2Z.
apply Zmult_le_compat_r.
apply Zle_minus_1; by apply max_u2Z.
by apply Zbeta_0'.
rewrite -Hm2.
by apply store.hi_mtlo_op.
by apply store.lo_mtlo_op.

apply hoare_maddu with (fun s h => exists Z, exists next, length Z = nk /\ [x]_s = vx /\
  [z]_s = vz /\ [m]_s = vm /\ u2Z [k]_s = Z_of_nat nk /\ [alpha]_s = valpha /\
  (var_e x |--> X ** var_e z |--> Z ** var_e m |--> M) s h /\
  u2Z [ext]_s = Z_of_nat next /\ u2Z [ext]_s < u2Z [k]_s /\ [one]_s = one32 /\
  (exists K, Zbeta next * Sum (S nk) (Z ++ [C]_s :: nil) = Sum next X * Sum nk X + K * Sum nk M /\
    Sum next X * Sum nk X + K * Sum nk M < 2 * Sum nk M * Zbeta next) /\
  (next < nk)%nat /\ [X_]_s = nth next X zero32 /\
  [Y_]_s = nth O X zero32 /\ [Z_]_s = nth O Z zero32 /\
  [M_]_s = nth O M zero32 /\ [int_]_s = one32 /\
  [quot]_s = ((((nth next X zero32 [.*] nth O X zero32) [.+] zext 32 (nth O Z zero32)) [.%] 32)
    [.*] [alpha]_s) [.%] 32 /\
  store.utoZ s = u2Z [quot]_s * u2Z (nth O M zero32) +
  u2Z (nth next X zero32) * u2Z (nth O X zero32) + u2Z (nth O Z zero32) /\ store.lo s = zero32).

move=> s h [Z [next [HZ [r_x [r_z [r_m [r_k [r_alpha [Hmem [r_ext [Hextk' [Hone [Hinv [Hextk [r_X_ [r_Y_ [r_Z_ [Hm1 [r_M_ [r_t [Hconcat [Hgrpint_ [r_quot [Hm2 Hm3]]]]]]]]]]]]]]]]]]]]]]]].

exists Z, next; repeat reg_upd; repeat (split; trivial).
by Assert_upd.
rewrite store.utoZ_maddu.
rewrite r_M_ -u2Z_umul store.utoZ_def store.utoZ_acx_beta2 // u2Z_Z2u.
by rewrite Hm2 Hm3 (Zplus_comm (u2Z [t]_s)) -u2Z_concat Hconcat Zmult_0_l -Zplus_0_r_reverse Zplus_assoc.
split; by [apply Zle_refl | apply Zpower_0].
by apply Zlt_le_trans with (Zbeta 2 * 1).

rewrite r_quot; apply montgomery_lemma => //.
by rewrite r_M_ r_alpha.
rewrite store.utoZ_def store.utoZ_acx_beta2 // u2Z_Z2u.
rewrite Zmult_0_l -Zplus_0_r_reverse Zplus_comm -u2Z_concat Hm2 Hm3 Hconcat -u2Z_umul u2Z_add.
rewrite (@u2Z_zext 32) // u2Z_zext.
apply Zle_lt_trans with ((Zbeta 1 - 1) * (Zbeta 1 - 1) + (Zbeta 1 - 1)); last by done.
apply Zplus_le_compat.
by apply (@max_u2Z_umul 32).
rewrite (@u2Z_zext 32) //; apply Zle_minus_1; by apply max_u2Z.
by split; [apply Zle_refl | apply Zpower_0].